Cloud computing allows users to utilize off-site computing infrastructure, often in an overseas jurisdiction, as a platform for running networked applications and storing data, among other tasks. There are several competing definitions of cloud computing, but the definition introduced by the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce, is widely regarded as the de facto definition. The definition has also been adopted by a number of governments worldwide, such as Australia.
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Because data stored in cloud services are accessed via the Internet, there is a growing concern about data protection and privacy due to surveillance of data. This entry highlights some criminal activity associated with cloud computing, discusses the expanding practice of government surveillance of online data, examines individual privacy concerns related to cloud computing, and concludes with suggestions about how cybersecurity and individual privacy can coexist.
While cloud computing can potentially result in significant cost reduction and convenience for both individual and organizational users (e.g., the capability to share and access data in real time in the always connected “cloud” from devices such as smartphones), users need to be aware of the privacy risks associated with the use of cloud computing services. In May 2014, for example, a significant number of Australian Apple iOS devices were reportedly hijacked and locked for ransom. Subsequent investigations determined that the affected users’ iCloud accounts had been compromised, and affected users who did not set a passcode prior to the hack had to reset their devices to factory settings. The latter resulted in the erasure of all user data stored on the affected devices. In another high-profile incident, a number of iCloud accounts belonging to several celebrities were reportedly compromised in September 2014, which resulted in the theft of photos (many of which were intimate) from these accounts. The incident was subsequently confirmed by Apple.
Therefore, to keep pace with the growth and changing face of criminal activity, particularly to ensure that evidential data can be forensically recovered, a number of governments have undertaken measures to enhance their technical capability (in some instances, seeking to circumvent or weaken existing security measures) and introduce legislation that allows national security and law enforcement agencies to conduct online surveillance. For example, in September 2014, Australian government agencies successfully lobbied for new legal powers to put Internet users under surveillance.
Legitimate surveillance by government agencies (e.g., law enforcement, criminal intelligence, and national security agencies) can be an effective crime deterrence measure and can allow these agencies to gather evidence, monitor the behavior of known offenders, and reduce the public’s fear of crime. For example, analysis of intelligence gathered from different or disparate data sets (e.g., data from the cloud and big data applications) may facilitate the prediction of major impending events and identify connections between individuals of interest.
Due to the advancement of ICT and the interconnectedness of our society, however, the scope and reach of online surveillance by governments are being expanded, sometimes to the detriment of individual privacy. For example, when we upload or store our data (e.g., photos, videos, documents) in one of the cloud computing services, do we know the path of the transmitted data (i.e., through which countries or Internet service providers our data will be routed) or whether anyone is collecting and analyzing our transmitted or stored data?
While there is a legitimate need for cooperation between cloud service providers and governments, there are also concerns about cloud service providers being compelled to scan or search data of interest to national security and to report on, or monitor, particular types of transactional data. The concern is generally not about the privacy rights of criminals or terrorist suspects but the unintended collateral damage where the privacy of innocent individuals and ordinary citizens may be compromised in such surveillance programs (e.g., when finer-granulated aspects of an individual’s life are derived or inferred from the intelligence collection and analysis).
It is unsurprising that cloud user data privacy has emerged as a salient area of inquiry for researchers and a growing concern for public policy and the public, particularly in societies where individuals place a significant value on privacy (including against government intrusion).
Concerns about wide-scale government surveillance targeting the cloud computing ecosystem and about the invasion of individual cloud user data privacy are not restricted to authoritarian societies but also pertain to liberal democracies, particularly after September 11, 2001. In 2013, for example, Edward Snowden, a former U.S. National Security Agency (NSA) contractor, leaked NSA documents that indicated that the agency allegedly undertook broad online surveillance activities. The activities included intercepting and collecting information from non-U.S. citizens (as well as U.S. citizens if they were conversing with a foreign target) and targeting organizations such as major U.S. cloud computing service providers.
In response to the NSA surveillance revelations, the European Parliament conducted an inquiry on the impact of the surveillance program on European Union (EU) citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs. In a February 2014 report by the Committee on Civil Liberties, Justice and Home Affairs, it was determined that these programs allowed for the mass surveillance of Internet users
While intelligence derived from online surveillance programs is typically used in preemption responses (also known as anticipatory self-defense), in combating terrorism and other criminal activities, and in the shaping of government responses to national and cybersecurity threats, the inquiry by the European Parliament in 2014 determined that the broad-based NSA surveillance programs are not justifiable and are “incompatible with the principles of necessity and proportionality in a democratic society” (p. 20/62). The negative impacts due to the NSA revelations include an estimated lost revenue of up to US$35 billion for the U.S. cloud computing industry by 2016. Some scholars and commentators have also expressed concerns about the negative impact of NSA surveillance programs on the security of the Internet and the cloud computing ecosystem.
Attempts to define privacy in a legal context in the United States date back to 1890. Samuel Warren and Louis Brandeis, in their 1890 article “The Right to Privacy,” contended that the scope of privacy rights over the years has gradually broadened from the “right to life” to the “right to enjoy life, the right to be let alone, and the right to liberty secures the exercise of extensive civil privileges” (p. 193).
Although the right to individual privacy is guaranteed by Article 8 of the European Convention on Human Rights (designed to protect individuals from intrusions into their privacy or private life and, more broadly, against the improper collecting, storing, sharing, and use of their data), recent debates and incidents such as the NSA surveillance programs suggest that overseas (e.g., non-EU) cloud service providers may not be legally obliged to notify EU cloud users (the owners of the data) about such requests. Only 3 years before the NSA surveillance revelations, Kim-Kwang Raymond Choo had posited that foreign intelligence services and industrial spies may not disrupt the normal functioning of an information system as they are mainly interested in obtaining information relevant to vital national or corporate interests. They do so through clandestine entry into the cloud computing infrastructure/ecosystem as part of their information-gathering activities.
Some threat actors (see Table 1 ) are better resourced than others to carry out more sophisticated malicious activities, although most threat actors are unlikely to have unlimited repertoires. To carry out sophisticated targeted attacks (also known as advanced persistent threats), it is likely that the attackers would require considerably more resources and possibly be state sponsored/affiliated.
The contention between the need for cybersecurity and ensuring individual privacy is not new. In our attempts to address the many, and potentially thorny, issues in this contention, we need to understand and recognize the tensions between the need for cybersecurity and for ensuring individual privacy. As these two objectives may also be mutually incompatible or inconsistent with each other, potential solutions are likely required to have trade-offs.
A key research question, therefore, is “How do we balance the need for a secure cloud computing ecosystem and the rights of individuals to privacy against the need to protect society from serious and organized crimes and terrorism and safeguard cybersecurity and national security interests?”
Given the relatively new and changing aspects of cloud computing technologies and their use, it is important to bring highly technical expertise and social research capacity together. In addition, online surveillance activities cannot be self-symbiotic as they are affected by many factors. While it is important to focus on an individual country or government, we also need to look at the macrolevel (e.g., market and intergovernmental levels). The institutional isomorphism theory, for example, explains that “external actors may induce an organization to conform to its peers by requiring it to perform a particular task and specifying the profession responsible for its performance.” In other words, institutions (e.g., governments) are “morally governed”—known as the normative pillar or normative isomorphism—without the need for a coercive framework, and misdeeds and noncompliance are “punished” by way of social, economic, and/or political sanctions.
Therefore, only by interdisciplinary collaboration can we begin to tackle cyberspatial threats, as it would allow us to better address the knowledge and research gaps in the existing evidence base and would contribute to fill the strategic, operational, and policy vacuum. Bringing together interdisciplinary and international perspectives will also ensure that developments in ICT, political, geographical, socioeconomic, legal, and regulatory issues are well understood and can be used to refine policy strategies without infringing on civil liberties such as individual privacy.
Kim-Kwang Raymond Choo
See also Computer Surveillance ; Inverse Surveillance ; Privacy, Internet
Apple. “Update to Celebrity Photo Investigation.” Apple Media Advisory (September 2, 2014). http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html (Accessed September 2017).
Apple Insider Staff. “Hackers Use ‘Find My iPhone’ to Lockout, Ransom Mac and iOS Device Owners in Australia.” Apple Insider (May 26, 2014). http://appleinsider.com/articles/14/05/27/hackers-break-into-lock-macs-and-ios-devices-for-ransom-in-australia (Accessed October 2014).
Castro, Daniel. How Much Will PRISM Cost the U.S. Cloud Computing Industry? Washington, DC: Information Technology and Innovation Foundation, 2013. http://www2.itif.org/2013-cloud-computing-costs.pdf (Accessed October 2014).
Choo, Kim-Kwang Raymond. “Cloud Computing: Challenges and Future Directions.” Trends & Issues in Crime and Criminal Justice, v.400 (2010). http://www.aic.gov.au/media_library/publications/tandi_pdf/tandi400.pdf (Accessed October 2014).
Choo, Kim-Kwang Raymond. “A Conceptual Interdisciplinary Plug-and-Play Cyber Security Framework.” In H. Kaur and X. Tao (eds.), ICTs and the Millennium Development Goals: A United Nations Perspective. New York, NY: Springer, 2014.
DiMaggio, Paul and Walter Powell. “The Iron Cage Revisited: Institutional Isomorphism and Collective Rationality in Organizational Fields.” American Sociological Review, v.48/2 (1983).
European Parliament. “Report on the US NSA Surveillance Programme, Surveillance Bodies in Various Member States and Their Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs” (February 21, 2014). http://www.europarl.europa.eu/document/activities/cont/201403/20140306ATT80632/20140306ATT80632EN.pdf (Accessed October 2014).
Gellman, Barton and Todd Lindeman. “Inner Workings of a Top-Secret Spy Program.” The Washington Post (June 29, 2013). http://apps.washingtonpost.com/g/page/national/inner-workings-of-a-top-secret-spy-program/282/ (Accessed October 2014).
Greenwald, Glenn. “XKeyscore: NSA Tool Collects ‘Nearly Everything a User Does on the Internet’.” Guardian (July 31, 2013). http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data (Accessed October 2014).
Hooper, Christopher, et al. “Cloud Computing and Its Implications for Cybercrime Investigations in Australia.” Computer Law and Security Review, v.29/2 (2013).
Kelion, Leo. “Apple Toughens iCloud Security After Celebrity Breach.” BBC News (September 17, 2014). http://www.bbc.com/news/technology-29237469 (Accessed October 2014).
Martini, Ben and Kim-Kwang Raymond Choo. “An Integrated Conceptual Digital Forensic Framework for Cloud Computing.” Digital Investigation, v.9/2 (2012).
Martini, Ben and Kim-Kwang Raymond Choo. “Cloud Storage Forensics: ownCloud as a Case Study.” Digital Investigation, v.10/4 (2013).
Martini, Ben and Kim-Kwang Raymond Choo. “Distributed File System Forensics: XtreemFS as a Case Study.” Digital Investigation, v.11/4 (2014). doi:10.1016/j.diin.2014.08.002.
Mell, Peter and Timothy Grance. The NIST Definition of Cloud Computing. Gaithersburg, MD: National Institute of Standards and Technology, 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (Accessed October 2014).
National Institute of Standards and Technology. “NIST Cloud Computing Program” (2015). http://www.nist.gov/itl/cloud/index.cfm (Accessed September 2017.
Quick, Darren and Kim-Kwang Raymond Choo. “Digital Droplets: Microsoft SkyDrive Forensic Data Remnants.” Future Generation Computer Systems, v.29/6 (2013).
Quick, Darren and Kim-Kwang Raymond Choo. “Dropbox Analysis: Data Remnants on User Machines.” Digital Investigation, v.10/1 (2013).
Quick, Darren and Kim-Kwang Raymond Choo. “Forensic Collection of Cloud Storage Data: Does the Act of Collection Result in Changes to the Data or Its Metadata?” Digital Investigation, v.10/3 (2013).
Quick, Darren and Kim-Kwang Raymond Choo. “Google Drive: Forensic Analysis of Cloud Storage Data Remnants.” Journal of Network and Computer Applications, v.40 (2014).
Quick, Darren, et al. Cloud Storage Forensics. Waltham, MA: Syngress, 2014.
Ratcliffe, Jerry. Video Surveillance of Public Places (Police Response Guides Series No. 4). Washington, DC: Office of Community Oriented Policing Services, 2006.
Staten, James. “The Cost of PRISM Will Be Larger Than ITIF Projects.” Forrester Research Blog (August 15, 2013). https://www.forbes.com/sites/forrester/2013/08/15/the-cost-of-prism-will-be-larger-than-itif-projects/#6f4be0cd795f (Accessed September 2017).
Warren, Samuel D. and Louis D. Brandeis. “The Right to Privacy.” Harvard Law Review, v.4/5 (1890).